Simple shell spawning when using notepad to open. If illmob wanted to they could actually mask the application's presence and put notepad back. I don't know why they didn't do that in the first place.
I guess they didn't make it, but malware.com has been dead for centuries so I don't know where this actually came from.
Yorn
Nov 6 2003, 04:48 PM
Oh yeah, you might want this so it doesn't run it anymore.
And I'm not going to deltree anyone's windows except the idiots that PM me on here saying "Yo' Dude! It doesn't work on patched computers, man. What do I do to get it to work on a computer with patched IE?"
The answer in all those cases is usually: "Hell, I don't know."
So when I don't even bother to type up a response they get all upset and ask me again and why I'm avoiding them. Ugh. I don't mind feedback on stuff I've written, but I'd like it to be in a thread I wrote on here or via email. I guess maybe I'm just being too picky.
'tppabs=" ?? lmao... was wondering about that myself.....hmm
maybe just a glitch in my copy & Paste Technique...
*Shrugs*... And yep I just get PM'd for Passwordz that are so Obvious ppl just plain overlook it!..
lmao...
Apart from that I better be doin some Studying...up on my html skillz ehh?
lmao..
CIAO!
aiboforcen
Nov 9 2003, 02:14 PM
Hi, how do I convert an exe to this: jelmersArray= array(77,90,68,1,5,0,2,0,32,0,33,0,255,255,117,0,0 bla bla bal....) as in the malware exploit on illmob's site.
extreme
Nov 10 2003, 01:45 AM
I made a mistake and haven't backed up my notepad.exe. I tried to start your REG file example, but it fixed nothing. I have two notepad.exe files. One in windows/system32, and other in windows/ but they are both acting as mallware.exe when executed... I mean, I see "flames" when I execute any one of them... I guess I must find someone with XP to give me original notepad.exe...
EoS
Nov 10 2003, 12:06 PM
that's what i wanted to know in the first place, how to convert an exe into that code...
what
Nov 11 2003, 01:53 AM
fun exploit, i really like the burning fire. . . . Works locally fine, i'm going to see about remotely. IE's exploits just seem to be piling up. Where's the next patches, or are they just going to forget it, like DCOM. Anyways, I'll continue testing. My ISP cancelled my account, so I haven't been around for a while. I'll try content-type etc, etc, see what happens, post results later.
extreme
Nov 11 2003, 02:57 AM
Yorn, will that registry fix work for all OSes???? Also, is this exploit local only, or it can be remote too???
Let me answer my first question... No. Your registry fix doesn't work for all OSes. I have XP Pro, and after I apply your reg patch, TXT files are still executed by notepad.exe that is downloaded into windows/system32, and not from original one that is in /windows/
what
Nov 11 2003, 11:23 AM
alright, this took me about five minutes to get to work remotely. The exploits are just piling up! I'll set up a proof of concept later, we'll see what happens.
extreme
Nov 11 2003, 05:51 PM
Do you think it could be done to work with Outlook Express??? I tried everything, even with triple slash (file:///), but I don't know where is temp EXE file located... You think you could help me with that?
EoS
Nov 12 2003, 09:19 AM
I'm still wondering how to insert an exe of my choice into that code
extreme
Nov 13 2003, 01:18 AM
You can convert it with any EXE2VBS tool... I propose that you find one from Zombie...
matiano
Dec 21 2003, 01:15 AM
QUOTE (EoS @ Nov 12 2003, 09:19 AM)
I'm still wondering how to insert an exe of my choice into that code
i'm wondering too ...how convert any exe file to decimal, which pasted here ---> jelmersArray= array(CONVERT DECIMAL CODE) ?
i've tried zombies EXE2VBS and cut the dec code and put it then to the notepad exploit but it doesn't work
can somebody please help me
trinity
Dec 21 2003, 11:39 AM
It doesn't work for me (Win2k SP4 with 1 month old Windows Update patches). Bye, Tnty
matiano
Dec 28 2003, 09:32 PM
ok it works for me when i'm unpatched
somebody know... does the exploit remotely work on webserver ?
AdmiralB
Dec 28 2003, 11:39 PM
conversion probably needs a proggie, my 2 cents of help
matiano
Dec 29 2003, 10:48 PM
hi AdmiralB
i don't know what you mean 2cent?
was this the answer of my question ?
sorry for my little bit english
headbanger
Jan 1 2004, 06:47 PM
QUOTE (matiano @ Dec 29 2003, 10:48 PM)
hi AdmiralB
i don't know what you mean 2cent?
was this the answer of my question ?
sorry for my little bit english
he means that it's his opinion..
ara
Jan 5 2004, 05:16 AM
thank god for firebird!
thotho
Jan 5 2004, 06:27 AM
thanks 4 the exploit
piopio
Jan 13 2004, 01:16 AM
inject another exe is extremely easy... but this code seems to work only if u double click the .html file.... otherwise doesn't work via web-server... I think this is possible, any help would be appreciated.. best regards
( i know, my eng sux )
DrDoc
Jan 13 2004, 03:30 PM
Jo big thx 4 da exploit it works fine on my localhost
Cya Doc
PiP
Jan 15 2004, 02:07 AM
it gets picked up by NAV
but if u change all the variable names it seems to let it through ok
also for those who were asking how to convert your own exe's into that format here is a function i wrote in VB that will do it
CODE
' pretty self explanatory so i haven't commented much
' one small 'bug' though, remove the trailing comma (",")
' off the end of the array...Lazy coding by me.
Public Function fileToDec(file_name As String)
    Dim file_length As Long
    Dim fnum As Integer
    Dim bytes() As Byte
    Dim txt As String
    Dim i As Long ' Long, not Integer: an Integer index overflows past 32,767 bytes

    file_length = FileLen(file_name)
    fnum = FreeFile
    ReDim bytes(1 To file_length)

    ' read the whole file into the byte array
    Open file_name For Binary As #fnum Len = file_length
    Get #fnum, 1, bytes
    Close fnum

    ' build the comma-separated decimal string
    For i = 1 To file_length
        txt = txt & Format$(bytes(i)) & ","
    Next i

    ' write the string to <file_name>.txt
    Open file_name & ".txt" For Output As #fnum
    Print #fnum, txt
    Close #fnum
End Function
I have tested it with a small c program and it had no problems
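#include <stdio.h>
#include <stdlib.h>

/* print every byte of the file named in argv[1] as a decimal value followed by a comma */
int main(int argc, char *argv[]){
    FILE *archi;
    int caracter;

    if (argc>1) {
        if ((archi = fopen(argv[1],"rb")) != NULL){
            while ((caracter = getc(archi)) != EOF) {
                printf("%d,",caracter);
            }
            putchar('#'); /* '#' is written after the last comma */
            fclose(archi);
        } else {
            printf("No existe el archivo: %s\n",argv[1]);
            exit(2);
        }
    } else {
        printf("Falta el parámetro.");
        exit(3);
    }
    return (0);
}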
command line:
dumpdec.exe -f your_executable.exe >> copypaste.txt
.... and copy/paste copypaste.txt in the self-exec.htm. for use in a webserver you can use the winamp+winxp exploit
regards (P.S.: sorry for my english)
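Added example, not part of any post in this thread: PiP's remark that renaming the variables gets the page past NAV shows why a signature tied to identifiers is brittle. The sketch below flags any decimal array whose bytes begin with the DOS MZ magic, as the 77,90,... prefix quoted earlier does; the function name, the length threshold and the sample markup are assumptions constructed for illustration.

```python
import re

# A run of comma-separated 1-3 digit numbers. Whitespace, newlines and
# VBScript " _" line continuations are tolerated between the elements.
DECIMAL_RUN = re.compile(r"(?<!\d)\d{1,3}(?:\s*,[\s_]*\d{1,3})+(?!\d)")


def find_embedded_pe_arrays(text, min_bytes=16):
    """Return (offset, byte_count) for every decimal array in `text` that
    decodes to data starting with 'MZ', whatever the variable is called."""
    hits = []
    for m in DECIMAL_RUN.finditer(text):
        values = [int(v) for v in re.findall(r"\d+", m.group())]
        # Short lists and lists holding non-byte values are ordinary script data.
        if len(values) < min_bytes or any(v > 255 for v in values):
            continue
        if bytes(values[:2]) == b"MZ":
            hits.append((m.start(), len(values)))
    return hits


# Constructed sample: the prefix is the one quoted in the thread, the rest
# is zero padding, and the variable name is deliberately not "jelmersArray".
PREFIX = "77,90,68,1,5,0,2,0,32,0,33,0,255,255,117,0,0"
SAMPLE = (
    "<script language=vbscript>\n"
    "q7 = array(" + PREFIX + ",\n" + ",".join(["0"] * 20) + ")\n"
    "sizes = array(10,20,30,40)\n"
    "</script>\n"
)

if __name__ == "__main__":
    for offset, count in find_embedded_pe_arrays(SAMPLE):
        print(f"decimal-encoded MZ image: {count} bytes at offset {offset}")
```

Because the match is on the decoded content, it also survives the word-wrapped form of the array described further down the thread.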
DvilleStoner
Feb 26 2004, 10:41 AM
interesting reading
trdiablo
Feb 26 2004, 10:57 AM
I can't start a new topic, so i post my question here.
I have been reading a lot of posts now, and now i want to ask something.
I was surfing a site and then i tried to exploit it by typing some extra characters behind the url.
And i added about then 9's to rubriek_id= And after that i added about 200 9's to document_id=
That resulted in this error :
Microsoft VBScript runtime error '800a0006'
Overflow: 'd_id'
/main.asp, line 43
Now i want to exploit this by using a simple javascript file to upload a new index.html to the site. I don't want to do any harm. This is just for education. I know the webmaster and he is a moron and does not care about security.
Can anyone advise me which tutorial to read or just help me with some tips? Thanx in advance and don't flame me if you think my question is stupid.
extreme
Feb 26 2004, 03:38 PM
ASP buffer overflow?? I haven't heard of a way to exploit it, but maybe someone else is more expertised.....
BrandonTurner
Feb 26 2004, 08:28 PM
ok, i got that program but when i put my string in the .html it is way too long and causes a memory overflow error. i noticed that the malware.exe (fire thing) is only 2.1 kb which is really small compared to my 243 kbs exe and the malware string is much smaller than mine. is there any way to fix this?
edit: i fixed it, you just have to open it up in notepad and use word wrap and then save it and it can handle it i guess. :-/